Wrapper API for using Microsoft Active Directory Services

If you develop web applications with Microsoft® ASP.NET and have the need to secure your site from unauthorized access, you have surely investigated the various authentication and authorization techniques that ASP.NET 1.x enables. This article discusses how to use Microsoft Active Directory Services

Overview

Applies To

Microsoft® ASP.NET 1.x

Microsoft® Visual Studio® .NET 2003

Microsoft® Active Directory® Services

Summary

If you are developing web applications utilizing Microsoft® ASP.NET and have the need to secure your site from unauthorized access, you have surely investigated the various authentication and authorization techniques that ASP.NET 1.x enables. This article discusses how to use Microsoft Active Directory Services by using the developed wrapper API.

Contents

Active Directory provides the ability to authenticate and authorize users from a centralized location, so users don't need to remember the password for every application, if they use Active Directory for authentication. Microsoft uses Active Directory in almost all of their application servers like Microsoft Content Management Server, Microsoft Share Point Portal Server, Microsoft CRM, and Microsoft Exchange Server etc., for centralized authentication and authorization purposes. As Active Directory is integrated with the Windows Operating System, very intrinsic support is available at a very low level.

The Active Directory Services Interface (ADSI) has always been a very effective way of dealing with users in a Windows network. The System.DirectoryServices namespace gives users access to some rudimentary user administration via ASP.NET. ADSI classes in the DirectoryServices namespace enables programmers to access ADSI objects using the System.DirectoryServices namespace.

Active Directory is simply a hierarchical, object-oriented database that represents all of your network resources. At the top, there's typically the Organization (O), beneath that Organizational Units (OU) as containers, and finally, objects that consist of your actual resources. This hierarchical format creates a very familiar and easy-to-administer tree for systems administrators. For example, if you assign an OU access to a given resource, that access will also be persisted to the objects that are contained within it.

Active Directory Services is a bit complex, so to make it more user friendly, I created a wrapper API in VB.NET and C# .NET, which performs all the operations a developer needs in order to navigate the Active Directory.

By using the wrapper API, the developer can do the following operations:

Note: Here in the 'ADUsersPath' key, the value ("OU=DeveloperDepartment,") shows the OU= Organizational Unit in the Active Directory as an example. You can write any of your organizational units or create a new one for testing.

Go to IIS, select the website, in the Properties window, select the Directory Service tab, in Authentication and Access Control Options, click the Edit button. It will open the Authentication Methods window, select Anonymous Access and enter the Domain Administrator Account user name and password, and select Integrated Windows Authentication, as shown in the following figures:

I have demonstrated how easy it is to navigate Active Directory objects by using the wrapper API which uses System.DirectoryServices. In the next release of my wrapper API, I will demonstrate how to manage Active Directory Roles and Permissions by using the wrapper API. I have given the API in both VB.NET and C#.NET, and you can use it in both Windows and web based applications.

Share

About the Author

Adnan Ahmed is SharePoint Architect in Version 1(http://www.version1.com), the IT Consulting Company in Ireland and has involved with many large enterprises to help them realise real benefits of SharePoint 2007|2010.

Comments and Discussions

I encountered one problem. When I try to remove a user from a security group by using the
RemoveUserFromGroup (string UserDistinguishedName, string GroupDistinguishedName) method. It gives an error saying "Unspecified error". Any pointers on what I should check for??

When I manually get into AD, I am able to delete that group. Please suggest!